Detection Engineering, Alert Tuning (completed)

Security Monitoring & Detection Engineering

Developed custom detection rules mapped to MITRE ATT&CK techniques and engineered log parsing pipelines to expand SIEM visibility across 15+ data sources.

MITRE ATT&CK, Detection Rules, SIEM, Wazuh, Splunk, Python, Bash

Overview

Built custom detection and monitoring capabilities at Apphaz, focusing on MITRE ATT&CK-aligned detection rules, log normalization across diverse data sources, and use-case-driven detection queries for advanced threat scenarios.

Key Highlights

  • Developed custom detection rules for MITRE ATT&CK techniques including credential access (T1110 brute force), initial access (T1078 valid accounts), and persistence (T1053 scheduled tasks), improving detection coverage by 22%
  • Engineered log parsing and normalization scripts for application, firewall, and endpoint logs, expanding SIEM visibility and enabling correlation across 15+ disparate data sources
  • Implemented use-case-driven detection queries for insider threats, privilege escalation, and anomalous authentication patterns, reducing investigation time by 30%

Rule Implementation Details

  • Brute Force (T1110): Developed logic to identify high-frequency authentication failures (Windows Event ID 4625) by correlating source IP addresses and target accounts, distinguishing repeated failures against a single account (targeted lockout attempts) from failures spread across many accounts (password spraying).
  • Scheduled Tasks (T1053): Implemented monitoring for suspicious task registration (Event ID 4698) and execution, flagging common administrative tools (schtasks.exe, at.exe) launched from non-standard directories or with encoded command-line arguments.
  • Valid Accounts (T1078): Created behavioral baselines for user authentication to detect "Impossible Travel" scenarios and logins from unusual geolocations or from VPN exit nodes.

Wazuh Rule Examples

Brute Force Detection (T1110):

<group name="authentication,brute_force,T1110,">

  <!-- Threshold: 5 failed logins from same source within 120s -->
  <rule id="100100" level="10" frequency="5" timeframe="120">
    <if_matched_sid>18104</if_matched_sid>
    <same_source_ip />
    <description>T1110 - Brute force: multiple authentication failures from $(srcip)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>

  <!-- Password spray: failed logins to 3+ distinct accounts from same IP -->
  <rule id="100101" level="12" frequency="3" timeframe="300">
    <if_matched_sid>18104</if_matched_sid>
    <same_source_ip />
    <different_dstuser />
    <description>T1110.003 - Password spray: $(srcip) targeting multiple accounts</description>
    <mitre>
      <id>T1110.003</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>

</group>
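To sanity-check the correlation thresholds in rules 100100 and 100101 before shipping them, the following Python replay (an added example, not part of the project's ruleset) runs the same two correlations over a constructed set of failed-logon events; the event tuples and the correlate() function are assumptions for the demo.

```python
from collections import defaultdict, deque

# Constructed sample of Windows Event ID 4625 failures: (epoch seconds, source IP, target account)
FAILED_LOGONS = [
    (0, "10.0.0.5", "alice"), (10, "10.0.0.5", "alice"), (20, "10.0.0.5", "alice"),
    (30, "10.0.0.5", "alice"), (40, "10.0.0.5", "alice"),                          # 5 hits on one account in 40 s
    (100, "10.0.0.9", "bob"), (150, "10.0.0.9", "carol"), (200, "10.0.0.9", "dave"),  # 3 accounts in 100 s
    (1000, "10.0.0.7", "erin"), (2000, "10.0.0.7", "erin"),                       # too slow to trip either rule
]

def correlate(events, bf_freq=5, bf_window=120, spray_users=3, spray_window=300):
    """Replay failed-logon events in time order and return the alerts the two rules
    would raise, as (rule_id, technique, srcip, detail) tuples.
    Thresholds default to the frequency/timeframe values of rules 100100 and 100101."""
    alerts, fired = [], set()
    recent = defaultdict(deque)          # srcip -> (ts, user) pairs still inside the longest window
    keep = max(bf_window, spray_window)
    for ts, srcip, user in sorted(events):
        window = recent[srcip]
        window.append((ts, user))
        while ts - window[0][0] > keep:  # expire events that have left every window
            window.popleft()
        # Rule 100100 (T1110): >= bf_freq failures from one source within bf_window seconds
        hits = [u for t, u in window if ts - t <= bf_window]
        if len(hits) >= bf_freq and ("100100", srcip) not in fired:
            fired.add(("100100", srcip))   # fire once per source, like a rule with an ignore window
            alerts.append(("100100", "T1110", srcip, f"{len(hits)} failures, {len(set(hits))} account(s)"))
        # Rule 100101 (T1110.003): failures against >= spray_users distinct accounts within spray_window
        targets = sorted({u for t, u in window if ts - t <= spray_window})
        if len(targets) >= spray_users and ("100101", srcip) not in fired:
            fired.add(("100101", srcip))
            alerts.append(("100101", "T1110.003", srcip, "accounts: " + ",".join(targets)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(FAILED_LOGONS):
        print(alert)
```

The replay treats frequency as an exact count; the Wazuh ruleset documentation notes that the frequency attribute actually triggers two matches above the configured value, so verify the effective in-engine threshold with a test log before relying on the numbers in the rule.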

Suspicious Scheduled Task Creation (T1053.005):

<group name="persistence,T1053,schtasks,">

  <!-- Scheduled task created via command line -->
  <rule id="100200" level="10">
    <if_sid>61600</if_sid>
    <field name="win.eventdata.parentCommandLine" type="pcre2">(?i)cmd\.exe|powershell|pwsh</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)schtasks\s+/create</field>
    <description>T1053.005 - Scheduled task created via CLI: $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
    <group>process_creation,</group>
  </rule>

  <!-- Scheduled task with encoded or obfuscated arguments -->
  <rule id="100201" level="13">
    <if_sid>100200</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(-enc|-encodedcommand|frombase64|hidden)</field>
    <description>T1053.005 - Scheduled task with encoded/hidden arguments detected</description>
    <mitre>
      <id>T1053.005</id>
      <id>T1059.001</id>
    </mitre>
    <group>process_creation,evasion,</group>
  </rule>

</group>

Valid Account Anomaly Detection (T1078):

<group name="authentication,valid_accounts,T1078,">

  <!-- Login from new source IP not seen in baseline -->
  <rule id="100300" level="8">
    <if_sid>18103</if_sid>
    <list field="srcip" lookup="not_address_match_key">etc/lists/known_login_sources</list>
    <description>T1078 - Successful login from previously unseen source $(srcip) by $(dstuser)</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>

  <!-- After-hours login (outside 07:00-19:00) -->
  <rule id="100301" level="8">
    <if_sid>18103</if_sid>
    <time>7pm - 7am</time>
    <description>T1078 - After-hours authentication by $(dstuser) from $(srcip)</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>

</group>